[PATCH] base-files: Don't enable ULA IPv6 addresses by default in new config

Oldřich Jedlička oldium.pro at gmail.com
Tue Oct 18 07:46:54 PDT 2022


On Tue, 18 Oct 2022 at 16:43, Oldřich Jedlička
<oldium.pro at gmail.com> wrote:
>
> Hi,
>
> On Fri, 9 Sep 2022 at 11:21, Torsten Duwe <duwe at lst.de> wrote:
> >
> > On Thu, 8 Sep 2022 19:51:06 +0200
> > Thibaut <hacks at slashdirt.org> wrote:
> >
> > > The issue was random. The client had a GUA assigned, below is the ipv6 routing table at the time of the issue:
> > >
> > > $ ip -6 route
> > > 2a0e:e701:11c2::/64 dev bond0 proto kernel metric 256 expires 7082sec pref medium
> > > fdc9:6d06:832a::/64 dev bond0 proto kernel metric 256 pref medium
> >
> > So AFAICS here lies the problem. Same metric, same preference.
> > The addresses below are usually tagged link local somewhere, but
> > I assume the ULA is not.
>
> When pinging a public IPv6 address the default route should be used.
> This should have nothing to do with the two routes above
> (2a03:b0c0:3:d0::160e:e001 IPv6 address has no match here).
>
> > > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > > fe80::/64 dev bond0.10 proto kernel metric 256 pref medium
> > > default via fe80::184f:a7ff:fe21:d230 dev bond0 proto ra metric 1024 expires 1793sec mtu 1492 hoplimit 64 pref medium
>
> This default route over bond0 should actually be used when pinging
> git.openwrt.org (2a03:b0c0:3:d0::160e:e001).
>
> > > For that matter, this setup only uses SLAAC (no DHCPv6 on LAN).
>
> When you are pinging global addresses, a global IPv6 address should
> also be used, independently of the presence of ULA. For your public IPv6
> prefix 2a0e:e701:11c2::/64 any ping outside should use the IPv6
> address of your computer having this prefix. I would be interested in
> which address is actually used during pinging. Please share your
> `ip -6 address` too. And if possible, also please share
> `tcpdump -i bond0 -nv icmp6` while the computer is pinging. Important - all of this
> assumes that you are delegating your public IPv6 prefix from the
> router to all computers (I used to have a static IPv6 configuration on
> my OpenWrt router with option `ip6prefix` for that purpose).
>
> There is also a possibility that you mentioned - have NAT66 (ULA to
> public IPv6 prefix translation) on the router. This means that you
> could remove the public prefix delegation and just keep the ULA
> configured. All computers would use the ULA prefix when accessing
> public addresses. In this case you would need to change the firewall
> and add the following SNAT rule to the NFT firewall for the srcnat_wan
> chain:
>
>   ip6 saddr fdc9:6d06:832a::/61 snat prefix to 2a0e:e701:11c2::/64

Sorry, typo here, prefix length should be 64 in both cases:

  ip6 saddr fdc9:6d06:832a::/64 snat prefix to 2a0e:e701:11c2::/64

Oldrich.

> > >
> > > Disabling ULA « fixes » this issue.
>
> There is probably some different issue in your configuration, which
> causes this behaviour.
>
> Oldrich.
>
> > Sure. Above, it looks like a game of chance which address is used.
> >
> > From my understanding, router.lan would need to be told to do IPv6 NAT
> > if clients are to reach outside with their ULAs, right?
> >
> > If I get a vote, I'd enable ULA generation only iff an IPv6 NAT was also
> > configured, and, last but not least, I wouldn't randomise it. I'd go for
> > e.g. fd00:4f57:5254 ("OWRT"), like all AVR use 192.168.178.0/24 on v4.
> >
> >         Torsten
> >
> >
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel at lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
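
The source-address choice debated in this thread, as an added example (not code from any poster or from OpenWrt): a simplified sketch of RFC 6724 source selection that implements only rules 1, 2, 6 and 8 with the default policy table. The prefixes are the ones quoted above; the `::1234` interface IDs, the extra ULA destination and the /64 cap on the common-prefix length are assumptions.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table, reduced to (prefix, label);
# sorted so the longest matching prefix is found first.
POLICY = sorted(
    ((ipaddress.ip_network(p), lbl) for p, lbl in [
        ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
        ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
        ("3ffe::/16", 12)]),
    key=lambda entry: -entry[0].prefixlen)

def label(addr):
    """Label of the longest policy-table prefix that contains addr."""
    return next(lbl for net, lbl in POLICY if addr in net)

def scope(addr):
    """RFC 6724 section 3.1: loopback counts as link-local, ULA as global."""
    if addr.is_loopback or addr.is_link_local:
        return 0x2
    return 0x5 if addr.is_site_local else 0xE

def common_prefix_len(src, dst, src_plen=64):
    """Shared leading bits, capped at the source prefix length (assumed /64)."""
    diff = (int(src) ^ int(dst)) >> (128 - src_plen)
    return src_plen - diff.bit_length()

def select_source(dst, candidates):
    """Pick the source for dst using rules 1, 2, 6 and 8 only."""
    d = ipaddress.IPv6Address(dst)
    def rank(s):
        # Rule 2: smallest scope that still covers dst, else the largest one.
        r2 = (0, scope(s)) if scope(s) >= scope(d) else (1, -scope(s))
        return (s != d,                      # Rule 1: same address
                r2,
                label(s) != label(d),        # Rule 6: matching label
                -common_prefix_len(s, d))    # Rule 8: longest matching prefix
    return min((ipaddress.IPv6Address(c) for c in candidates), key=rank)

# Prefixes are the ones quoted in the thread; the ::1234 interface IDs are
# constructed for this example.
CANDIDATES = ["fe80::1234", "fdc9:6d06:832a::1234", "2a0e:e701:11c2::1234"]

if __name__ == "__main__":
    for dst in ("2a03:b0c0:3:d0::160e:e001",   # git.openwrt.org, from the thread
                "fdc9:6d06:832a::1",           # constructed ULA neighbour
                "fe80::184f:a7ff:fe21:d230"):  # the router's link-local address
        print(dst, "<-", select_source(dst, CANDIDATES))
```

Rules 3 to 5.5 and 7 (deprecated, home, outgoing-interface, next-hop and temporary addresses) are left out, so this shows only the label and scope logic and is not a model of a full kernel implementation.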
